CVE-2005-2123
CVSS 7.5
Published: 2005-11-29 16:03:00
Revised: 2011-03-07 21:23:27

[Original text] Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.


[CNNVD] Microsoft Windows Graphics Rendering Engine Integer Overflow Vulnerability (MS05-053) (CNNVD-200511-472)

        Microsoft Windows is a very widely used operating system published by Microsoft.
        Microsoft Windows contains a buffer overflow vulnerability when rendering Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats; an attacker who successfully exploits it can execute arbitrary code remotely.
        The PlayMetaFileRecord function in the GDI32.DLL code responsible for parsing Windows Metafiles contains a buffer overflow vulnerability. Cases 36h and 37h of that function handle "SetPaletteEntries"-type records. If the reported length of such a record is 7FFFFFFFh or FFFFFFFFh, the following code experiences an integer overflow:
        77F5BC38 mov eax, [ebx] ; length field
        77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
        77F5BC3E push eax
        77F5BC3F push edi
        77F5BC40 call ds:LocalAlloc
        ...
        77F5BC51 mov ecx, [ebx] ; length field
        77F5BC53 add eax, 2
        77F5BC56 shl ecx, 1 ; copy size != allocation size
        77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
        77F5BC5A mov esi, ebx
        77F5BC5C mov edi, eax
        77F5BC5E shr ecx, 2
        77F5BC61 rep movsd
        77F5BC63 mov ecx, edx
        77F5BC65 and ecx, 3
        ...
        77F5BC6D rep movsb

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp::sp2:tablet_pc    Microsoft Windows XP SP2 Tablet PC
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_2003_server:itanium
cpe:/o:microsoft:windows_2000::sp4::fr
cpe:/o:microsoft:windows_2003_server:sp1::itanium
cpe:/o:microsoft:windows_2003_server:sp1
cpe:/o:microsoft:windows_2003_server:64-bit
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_xp::sp1:tablet_pc    Microsoft Windows XP SP1 Tablet PC

- OVAL (technical details for detection)

oval:org.mitre.oval:def:701     WMF Rendering Code Execution Vulnerability (64-bit Windows XP and Server 2003, SP1)
oval:org.mitre.oval:def:1546    WMF Rendering Code Execution Vulnerability (32-bit Windows XP, SP1)
oval:org.mitre.oval:def:1263    WMF Rendering Code Execution Vulnerability (64-bit Windows XP and Server 2003, Unpatched)
oval:org.mitre.oval:def:1175    WMF Rendering Code Execution Vulnerability (32-bit Windows XP, SP2)
oval:org.mitre.oval:def:1063    WMF Rendering Code Execution Vulnerability (Windows 2000)
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions give further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2123
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2123
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-472
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/300549
(VENDOR_ADVISORY)  CERT-VN  VU#300549
http://www.us-cert.gov/cas/techalerts/TA05-312A.html
(UNKNOWN)  CERT  TA05-312A
http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx
(VENDOR_ADVISORY)  MS  MS05-053
http://www.eeye.com/html/research/advisories/AD20051108b.html
(VENDOR_ADVISORY)  MISC  http://www.eeye.com/html/research/advisories/AD20051108b.html
http://www.vupen.com/english/advisories/2005/2348
(UNKNOWN)  VUPEN  ADV-2005-2348
http://www.securityfocus.com/bid/15352
(UNKNOWN)  BID  15352
http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf
http://securitytracker.com/id?1015168
(UNKNOWN)  SECTRACK  1015168
http://secunia.com/advisories/17498
(UNKNOWN)  SECUNIA  17498
http://secunia.com/advisories/17461
(UNKNOWN)  SECUNIA  17461
http://secunia.com/advisories/17223
(UNKNOWN)  SECUNIA  17223

- Vulnerability information

Microsoft Windows Graphics Rendering Engine Integer Overflow Vulnerability (MS05-053)
High risk  Buffer overflow
2005-11-29 00:00:00 2005-11-30 00:00:00
Remote / Local

- Advisories and patches

        No data available

- Vulnerability information (F41410)

Technical Cyber Security Alert 2005-312A (PacketStormID:F41410)
2005-11-09 00:00:00
US-CERT  us-cert.gov
advisory,remote,denial of service,arbitrary,vulnerability
windows
CVE-2005-2123,CVE-2005-2124,CVE-2005-0803
[Click to download]

Technical Cyber Security Alert TA05-312A - Microsoft has released updates that address critical vulnerabilities in Windows graphics rendering services. A remote, unauthenticated attacker exploiting these vulnerabilities could execute arbitrary code or cause a denial of service on an affected system.


               National Cyber Alert System

         Technical Cyber Security Alert TA05-312A


Microsoft Windows Image Processing Vulnerabilities

   Original release date: November 08, 2005
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Windows 2000
     * Microsoft Windows XP
     * Microsoft Windows Server 2003

   For more complete information, refer to Microsoft Security Bulletin
   MS05-053.


Overview

   Microsoft has released updates that address critical vulnerabilities
   in Windows graphics rendering services. A remote, unauthenticated
   attacker exploiting these vulnerabilities could execute arbitrary code
   or cause a denial of service on an affected system.


I. Description

   The Microsoft Security Bulletin for November 2005 addresses multiple
   buffer overflows in Windows image processing routines. Viewing a
   specially crafted image from an application that uses a vulnerable
   routine may trigger these vulnerabilities. If this application can
   access images from remote sources, such as web sites or email, then
   remote exploitation is possible.

   Further information is available in the following US-CERT
   Vulnerability Notes:

   VU#300549 - Microsoft Windows Graphics Rendering Engine buffer
   overflow vulnerability 

   Microsoft Windows Graphics Rendering Engine contains a buffer overflow
   that may allow a remote attacker to execute arbitrary code on a
   vulnerable system.
   (CVE-2005-2123)


   VU#433341 - Microsoft Windows vulnerable to buffer overflow via
   specially crafted "WMF" file 

   Microsoft Windows may be vulnerable to remote code execution via a
   buffer overflow in the Windows Metafile image format handling.
   (CVE-2005-2124)


   VU#134756 - Microsoft Windows buffer overflow in Enhanced Metafile
   rendering API 

   Microsoft Windows Enhanced Metafile Format image rendering routines
   contain a buffer overflow flaw that may allow an attacker to cause a
   denial-of-service condition.
   (CVE-2005-0803)


III. Solution

Apply Updates

   Microsoft has provided the updates to correct these vulnerabilities in
   Microsoft Security Bulletin MS05-053. These updates are also available
   on the Microsoft Update site.


II. Impact

   A remote, unauthenticated attacker exploiting these vulnerabilities
   could execute arbitrary code with the privileges of the user. If the
   user is logged on with administrative privileges, the attacker could
   take control of an affected system. An attacker may also be able to
   cause a denial of service.


Appendix A. References

     * Microsoft Security Bulletin MS05-053 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx>

     * Microsoft Security Bulletin Summary for November 2005 -
       <http://www.microsoft.com/technet/security/bulletin/ms05-nov.mspx>

     * US-CERT Vulnerability Note VU#300549 -
       <http://www.kb.cert.org/vuls/id/300549>

     * US-CERT Vulnerability Note VU#433341 -
       <http://www.kb.cert.org/vuls/id/433341>

     * US-CERT Vulnerability Note VU#134756 -
       <http://www.kb.cert.org/vuls/id/134756>

     * Microsoft Update - <https://update.microsoft.com/microsoftupdate>

  
  _________________________________________________________________

   The most recent version of this document can be found at:

   <http://www.us-cert.gov/cas/techalerts/TA05-312A.html> 
  _________________________________________________________________

   Feedback can be directed to US-CERT.  Please send email to:
   <cert@cert.org> with "TA05-312A Feedback VU#300549" in the subject.
  _________________________________________________________________

   Revision History

   Nov 08, 2005: Initial release
  _________________________________________________________________

   Produced 2005 by US-CERT, a government organization.
  
   Terms of use

   <http://www.us-cert.gov/legal.html>
  _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this 
   mailing list, visit <http://www.us-cert.gov/cas/>.
    

- Vulnerability information (F41408)

EEYEB-20050901.txt (PacketStormID:F41408)
2005-11-09 00:00:00
Fang Xing  eeye.com
advisory,web,arbitrary,code execution
windows
CVE-2005-2123
[Click to download]

eEye Security Advisory - eEye Digital Security has discovered a vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows Metafile (WMF) format image files that would allow arbitrary code execution as a user who attempts to view a malicious image. An attacker could send such a metafile to a victim of his choice over any of a variety of attack vectors, including an HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message.

Windows Metafile SetPalette Entries Heap Overflow Vulnerability
(Graphics Rendering Engine Vulnerability)

Release Date:
November 8, 2005

Date Reported:
September 1, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 2000
Windows XP SP0, SP1
Windows Server 2003 SP0

Overview:
eEye Digital Security has discovered a vulnerability in the way the
Windows Graphical Device Interface (GDI) processes Windows Metafile
(WMF) format image files that would allow arbitrary code execution as a
user who attempts to view a malicious image.  An attacker could send
such a metafile to a victim of his choice over any of a variety of
attack vectors, including an HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message.

Technical Details:
The code in GDI32.DLL responsible for rendering Windows Metafiles
contains an integer overflow vulnerability in the function
PlayMetaFileRecord, cases 36h and 37h, which handle
"SetPaletteEntries"-type records.  If the reported length of such a
record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an
integer overflow and can be made to allocate an insufficient heap block,
the success of which incorrectly implies the validity of the length:

    77F5BC38    mov     eax, [ebx]         ; length field
    77F5BC3A    lea     eax, [eax+eax+2]   ; *** integer overflow ***
    77F5BC3E    push    eax
    77F5BC3F    push    edi
    77F5BC40    call    ds:LocalAlloc
     ...
    77F5BC51    mov     ecx, [ebx]         ; length field
    77F5BC53    add     eax, 2
    77F5BC56    shl     ecx, 1             ; copy size != allocation size
    77F5BC58    mov     edx, ecx           ; intrinsic memcpy() follows
    77F5BC5A    mov     esi, ebx
    77F5BC5C    mov     edi, eax
    77F5BC5E    shr     ecx, 2
    77F5BC61    rep movsd
    77F5BC63    mov     ecx, edx
    77F5BC65    and     ecx, 3
     ...
    77F5BC6D    rep movsb

Although the copy length is similarly subject to an integer overflow,
the two differ by a "+2" term, and therefore the allocation size can be
made very small while keeping the copy length extremely large.  The
result is a complete heap overwrite with arbitrary binary data from the
metafile.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection proactively protects users from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Credit:
Fang Xing

Related Links:
This vulnerability has been assigned the following IDs;

EEYEB-20050901
OSVDB ID: 
CVE ID: CAN-2005-2123

Greetings:
Thanks to Derek and the eEye guys for helping me write this advisory.
Greetings to the xfocus guys and the venustech lab guys.

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
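The size arithmetic quoted above, both in the CNNVD description near the top of this record and in eEye's Technical Details, modelled as an added example (not code from this page, eEye or Microsoft; the function names vuln_alloc, vuln_copy and safe_record_size are hypothetical). It reproduces the 32-bit wrap of the allocation size (lea eax,[eax+eax+2]) and the copy size (shl ecx,1) for the two lengths the advisory names, and shows the overflow-safe check a metafile parser should apply before allocating.

```c
/* Added example: models the 32-bit size computation quoted from
 * PlayMetaFileRecord and a hardened replacement check. Hypothetical
 * function names; not the GDI32.DLL code itself. */
#include <stdint.h>
#include <stdio.h>

/* Allocation size as the vulnerable code computes it: len*2+2, wrapping
 * at 32 bits exactly like the x86 register arithmetic in the listing. */
uint32_t vuln_alloc(uint32_t len)
{
    return (uint32_t)(len * 2u + 2u);   /* wraps to 0 for 7FFFFFFFh and FFFFFFFFh */
}

/* Copy size as the vulnerable code computes it: len*2, also wrapping,
 * but without the "+2" term, so it stays huge where the allocation wrapped. */
uint32_t vuln_copy(uint32_t len)
{
    return (uint32_t)(len * 2u);        /* FFFFFFFEh for both named lengths */
}

/* 1 when the vulnerable computation would copy more bytes than it allocated. */
int vuln_mismatch(uint32_t len)
{
    return vuln_copy(len) > vuln_alloc(len);
}

/* Hardened check: do the arithmetic in 64 bits, reject any length whose
 * doubled size plus the 2-byte header does not fit in 32 bits, and reject
 * records that claim more bytes than remain in the file. Returns the
 * validated allocation size, or 0 when the record must be rejected
 * (a valid size is always at least 2, so 0 is unambiguous). */
uint32_t safe_record_size(uint32_t len, uint32_t bytes_remaining)
{
    uint64_t need = (uint64_t)len * 2u + 2u;
    if (need > UINT32_MAX)                      /* would have overflowed */
        return 0;
    if ((uint64_t)len * 2u > bytes_remaining)   /* record runs past the data */
        return 0;
    return (uint32_t)need;
}

int main(void)
{
    /* Constructed sample lengths: the two values the advisory names plus
     * an ordinary one, checked against a constructed 4 KiB of remaining data. */
    const uint32_t samples[] = { 0x7FFFFFFFu, 0xFFFFFFFFu, 0x100u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t len = samples[i];
        printf("len=%08X alloc=%08X copy=%08X mismatch=%d safe_size=%08X\n",
               len, vuln_alloc(len), vuln_copy(len), vuln_mismatch(len),
               safe_record_size(len, 0x1000u));
    }
    return 0;
}
```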
    

- Vulnerability information

20579
Microsoft Windows GDI Metafile SetPalette Entries Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in Windows. The PlayMetaFileRecord function fails to validate "SetPaletteEntries"-type records resulting in an integer overflow. With a specially crafted Windows MetaFile, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-11-08 Unknown
Unknown 2005-11-08

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft Windows Graphics Rendering Engine WMF/EMF Format Code Execution Vulnerability
Boundary Condition Error 15352
Yes Yes
2005-11-08 12:00:00 2009-07-12 05:56:00
Discovery is credited to eEye Digital Security.

- Affected program versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya Unified Communications Center S3400
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya Modular Messaging (MAS)
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers

- Vulnerability discussion

Microsoft Windows WMF/EMF graphics rendering engine is affected by a remote code execution vulnerability.

The problem presents itself when a user views a malicious WMF or EMF formatted file causing the affected engine to attempt to parse it. Exploitation of this issue can trigger an integer overflow that may facilitate heap memory corruption and arbitrary code execution.

Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Successful exploitation can facilitate a remote compromise or local privilege escalation.

- Exploitation

A proof of concept denial of service exploit is available by Winny Thomas. The Microsoft advisory concerning this BID addresses multiple issues, and due to a lack of details it is currently uncertain which exact issue this program exploits. The creator of this issue states that MS05-053 stops successful exploitation of the targeted issue.

- Solution

Microsoft has released a bulletin that includes fixes to address this issue for supported versions of the operating system.

Avaya advisory ASA-2005-228 has been released to identify vulnerable Avaya packages. Avaya recommends customers to apply fixes supplied by Microsoft. Please see the referenced advisory for more information.

Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows XP Professional SP2
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Professional SP1

- Related references
